ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvuseauditjournals.htm

130 lines
8.2 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Use audit journals to monitor object activity" />
<meta name="abstract" content="You can use the audit journal to monitor object activity and to log security events." />
<meta name="description" content="You can use the audit journal to monitor object activity and to log security events." />
<meta name="DC.Relation" scheme="URI" content="rzamvmanauditjournal.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="useauditjournals" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Use audit journals to monitor object activity</title>
</head>
<body id="useauditjournals"><a name="useauditjournals"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Use audit journals to monitor object activity</h1>
<div><p>You can use the audit journal to monitor object activity and to
log security events.</p>
<p>When you want to analyze the audit information you have collected in the
QAUDJRN journal, you can use the Display Journal (DSPJRN) command. With this
command, information from the QAUDJRN journal can be written to a database
file. An application program or a query tool can be used to analyze the data. </p>
<p>If you include the *AUTFAIL value for system action auditing (the QAUDLVL
system value), the system writes an audit journal entry for every unsuccessful
attempt to access a resource. For critical objects, you can also set up object
auditing so the system writes an audit journal entry for each successful access. </p>
<p>The audit journal records only that the object was accessed. It does not
log every transaction to the object. For critical objects on your system,
you may want more detailed information about the specific data that was accessed
and changed. Object journaling can provide you with those details. Object
journaling is used primarily for object integrity and recovery. A security
officer or auditor can also use these journal entries to review object changes. <em>Do
not</em> journal any objects to the QAUDJRN journal. </p>
<div class="p">Journal entries can include: <ul><li>Identification of the job and user and the time of access</li>
<li>Before- and afterimages of all object changes</li>
<li>Records of when the object was opened, closed, changed, and saved</li>
</ul>
</div>
<p>A journal entry cannot be altered by any user, even the security officer.
A complete journal or journal receiver can be deleted, but this is easily
detected.</p>
<p>If you want to find out which journals are on the system,
use the Work with Journals (WRKJRN) command. If you want to find out which
objects are being journaled by a particular journal, use the Work with Journal
Attributes (WRKJRNA) command.</p>
<p><strong>Managing the audit journal and journal receivers</strong></p>
<p>The auditing journal, QSYS/QAUDJRN, is intended <em>solely</em> for security
auditing. Objects should not be journaled to the audit journal. Commitment
control should not use the audit journal. User entries should not be sent
to this journal using the Send Journal Entry (SNDJRNE) command or the Send
Journal Entry (QJOSJRNE) API.</p>
<div class="p">Special locking protection is used to ensure that the system can write
audit entries to the audit journal. When auditing is active (the QAUDCTL system
value is not *NONE), the system arbitrator job (QSYSARB) holds a lock on the
QSYS/QAUDJRN journal. You cannot perform certain operations on the audit journal
when auditing is active, such as:<ul><li>DLTJRN command</li>
<li>ENDJRN<em>xxx</em> command</li>
<li>APYJRNCHG command</li>
<li>RMVJRNCHG command</li>
<li>DMPOBJ or DMPSYSOBJ command</li>
<li>Moving the journal</li>
<li>Restoring the journal</li>
<li>Operations that work with authority, such as the GRTOBJAUT command</li>
<li>WRKJRN command</li>
</ul>
</div>
<p>All security entries in the audit journal have a journal code of <samp class="codeph">T</samp>.
In addition to security entries, system entries also appear in the journal
QAUDJRN. These are entries with a journal code of <samp class="codeph">J</samp>, which
relate to initial program load (IPL) and general operations performed on journal
receivers (for example, saving the receiver).</p>
<p>If damage occurs to the journal or to its current receiver so that the
auditing entries cannot be journaled, the QAUDENDACN system value determines
what action the system takes. Recovery from a damaged journal or journal receiver
is the same as for other journals.</p>
<p>You may want to have the system manage the changing of journal receivers.
Specify MNGRCV(*SYSTEM) when you create the QAUDJRN journal, or change the
journal to that value. If you specify MNGRCV(*SYSTEM), the system automatically
detaches the receiver when it reaches its threshold size and creates and attaches
a new journal receiver. This is called <em>system change-journal management</em>. </p>
<p>If you specify MNGRCV(*USER) for the QAUDJRN, a message is sent to the
threshold message queue specified for the journal when the journal receiver
reaches a storage threshold. The message indicates that the receiver has reached
its threshold. Use the CHGJRN command to detach the receiver and attach a
new journal receiver. This prevents Entry not journaled error conditions.
If you do receive a message, you must use the CHGJRN command for security
auditing to continue. </p>
<p>The default message queue for a journal is QSYSOPR. If your installation
has a large volume of messages in the QSYSOPR message queue, you may want
to associate a different message queue, such as AUDMSG, with the QAUDJRN journal.
You can use a message handling program to monitor the AUDMSG message queue.
When a journal threshold warning is received (CPF7099), you can automatically
attach a new receiver. If you use system change-journal management, then message
CPF7020 is sent to the journal message queue when a system change journal
is completed. You can monitor for this message to know when to do a save of
the detached journal receivers. </p>
<div class="attention"><span class="attentiontitle">Attention:</span> The automatic cleanup function provided using Operational
Assistant menus does not clean up the QAUDJRN receivers. You should regularly
detach, save, and delete QAUDJRN receivers to avoid problems with disk space.
See the Journal management topic for complete information about managing journals
and journal receivers.</div>
<div class="note"><span class="notetitle">Note:</span> The QAUDJRN journal is created during an IPL if it does
not exist and the QAUDCTL system value is set to a value other than *NONE.
This occurs only after an unusual situation, such as replacing a disk device
or clearing an auxiliary storage pool.</div>
<p>For more information on the audit journal entries, see <span class="q">"Appendix F"</span> in
the <a href="../rzahg/rzahgsecref.htm">iSeries™ Security
Reference</a>.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvmanauditjournal.htm" title="How to manage the journal receivers.">Manage the journal receivers</a></div>
</div>
</div>
</body>
</html>